Connecting to LDAP


LDAP defines directory operations for adding or deleting an entry, modifying an existing entry, and changing the name of an entry. However, LDAP is used primarily to search for information in the directory. The LDAP search operation allows a section of the directory to be searched for entries that match criteria specified by a search filter. From a programming perspective, LDAP is just another client/server data management system.

For example, the following code would extract employee data from an LDAP directory:

 <cfldap action="QUERY"
         name="emp"
         attributes="cn,o,l,c,mail,telephonenumber"
         start="o=forta, c=US"
         sort="cn ASC"
         server="ldap.forta.com">
 <!--- Display employees --->
 <cfoutput>
 There were #emp.RecordCount# employees found.
 </cfoutput>
 <table>
  <tr>
   <th>Name</th>
   <th>Organization</th>
   <th>Location</th>
   <th>EMail</th>
   <th>Phone</th>
  </tr>
  <cfoutput query="emp">
  <tr>
   <td>#cn#</td>
   <td>#o#</td>
   <td>#l#, #c#</td>
   <td><a href="mailto:#mail#">#mail#</a></td>
   <td>#telephonenumber#</td>
  </tr>
  </cfoutput>
 </table>

The ATTRIBUTES parameter dictates which entities (or, in a database sense, which columns) the search returns. START nominates the branch in the directory hierarchy at which the search should start. We are sorting by common name in ascending order. Matching information is returned as a query object specified by the NAME attribute. See Table 42.1 for more <cfldap> attributes.

Table 42.1. <cfldap> Attributes and Their Use

| VARIABLE NAMES | DESCRIPTION |
|---|---|
| action | Must be add, modify, modifydn, delete, or query. |
| attributes | Comma-delimited list of attributes to be returned in the QUERY or updated on the directory. |
| delimiter | Delimiter used in multiple name-value pairs. |
| dn | Distinguished name (DN) is the directory key for the entity being updated. |
| filter | The filter attribute is more akin to the search criteria of a query rather than an actual filter. No filter returns all entries. |
| filterfile | An absolute file path or filename in cfusionldap that conforms to the LDAP filter file format (as defined in RFC 1558). |
| maxrows | The maximum number of rows returned. May be superseded by a maxrows setting on the LDAP directory itself. |
| modifytype | Specifies how to process a value in a multivalue list. May be ADD, DELETE, or REPLACE. |
| name | The name of the query object returned by <cfldap>. |
| password | Login password needed for authenticated directory access. This is typically required to perform updates on the directory. |
| rebind | Specifies whether referral callback is used. If not, referred connections are anonymous. |
| referral | Number of hops used for referral (if rebind is used). |
| scope | The depth to which the search will run in the directory hierarchy. Defaults to ONELEVEL. |
| secure | Provides security options for encrypting the transmission of data to and from the LDAP server. |
| separator | Delimiter used in multivalue attributes; the default is a comma. |
| server/port | Required to locate the LDAP server. server can be a qualified domain name or an IP address. PORT defaults to 389. |
| sort | An attribute listed in ATTRIBUTES. sort can be either ascending (ASC) or descending (DESC). This attribute may not be supported on all servers. |
| sortcontrol | Enter NOCASE for non-case-sensitive sorting. |
| start | Specifies the DN of the entry branch from which to start the search. |
| startrow | Start row of a query; useful for building a Next/Previous-style results page. Defaults to 1. |
| timeout | Operational time-out. Defaults to 60 seconds. |
| username | Login user name needed for authenticated directory access. This is typically required to perform updates on the directory. |


Displaying query objects with <cfoutput> is discussed in Chapter 7, "Using Databases."

LDAP offers a collection of filter operators. These can be used to apply Boolean and wildcard searches on the directory entries. For example, restricting a search to an organization name of Forta and a country of US could be done using the following line:

 filter="(&(o=Forta)(c=US))"
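
The filter above uses fixed values. When part of a filter comes from user input, the characters that act as filter operators have to be escaped before the value is placed in the filter string. The following is an added example, not code from the book; escapeLdapFilterValue and form.org are hypothetical names, and the escape sequences are the ones RFC 4515 defines for filter strings.

```cfml
<!--- Added example: escape a user-supplied value before using it in a filter.
      escapeLdapFilterValue and form.org are hypothetical names. --->
<cffunction name="escapeLdapFilterValue" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <cfset var s = arguments.value>
    <!--- Backslash first, so the escapes added below are not escaped again. --->
    <cfset s = Replace(s, "\", "\5c", "all")>
    <cfset s = Replace(s, "*", "\2a", "all")>
    <cfset s = Replace(s, "(", "\28", "all")>
    <cfset s = Replace(s, ")", "\29", "all")>
    <cfreturn s>
</cffunction>

<cfparam name="form.org" default="">

<!--- Reject empty, over-long, or control-character input outright.
      This also keeps NUL, the fifth character RFC 4515 reserves,
      out of the filter. --->
<cfif Len(Trim(form.org)) EQ 0
      OR Len(form.org) GT 64
      OR REFind("[[:cntrl:]]", form.org)>
    <cfthrow type="InvalidInput" message="Organization name rejected.">
</cfif>

<cfset safeOrg = escapeLdapFilterValue(form.org)>

<!--- The escaped value can only match literally: a * typed by the user
      is no longer a wildcard, and parentheses cannot close or open
      filter terms. maxrows bounds the result set. --->
<cfldap action="query"
        name="emp"
        attributes="cn,o,l,c,mail,telephonenumber"
        start="o=forta, c=US"
        filter="(&(o=#safeOrg#)(c=US))"
        maxrows="100"
        server="ldap.forta.com">

<cfoutput>#emp.RecordCount# matching entries.</cfoutput>
```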

<cfldap> provides actions for updating LDAP directories. Typically a username and password with appropriate permissions are required to perform additions or modifications to the directory. For modifications or deletions, you will need to know the distinguished name, which acts like a database primary key. Lastly, the attributes parameter is used to specify a list of LDAP attributes to be updated or added to the hierarchy:

 <cfldap action="add"
         dn="cn=Ben Forta, ou=Development, o=forta.com"
         attributes="objectclass=top, person, organizationalPerson;
         mail=ben@forta.com;
         telephonenumber=555-5555;
         ou=Development"
         modifytype="REPLACE"
         server="ldap.forta.com"
         username="cn=admin, ou=IT, o=forta.com"
         password="tralala">

In this example, a DN for an administrator, admin, is used as the username; the particular record being updated is specified in the DN attribute; and the attributes list the values for updating an entry for Ben Forta.

Note: If a single attribute value contains a comma, you must escape it by adding an extra comma.




Macromedia ColdFusion MX 7 Certified Developer Study Guide
ISBN: 0321330110
EAN: 2147483647
Year: 2004
Pages: 389
Authors: Ben Forta
